$expired = $params->def('expired', ''); $expired_time = $params->def('expired_time', ''); // if now expired link set or expired time is more than half the admin session life set, simply load normal admin homepage $checktime = ($mosConfig_session_life_admin ? $mosConfig_session_life_admin : 1800) / 2; if (!$expired || $now - $expired_time > $checktime) { $expired = 'index2.php'; } // link must also be a Joomla link to stop malicious redirection if (strpos($expired, 'index2.php?option=com_') !== 0) { $expired = 'index2.php'; } // clear any existing expired page data $params->set('expired', ''); $params->set('expired_time', ''); // param handling if (is_array($params->toArray())) { $txt = array(); foreach ($params->toArray() as $k => $v) { $txt[] = "{$k}={$v}"; } $saveparams = implode("\n", $txt); } // save cleared expired page info to user data $query = "UPDATE #__users" . "\n SET params = " . $database->Quote($saveparams) . "\n WHERE id = " . (int) $my->id . "\n AND username = "******"\n AND usertype = " . $database->Quote($my->usertype); $database->setQuery($query); $database->query(); } // check if auto_purge value set if ($my->cfg_name == 'auto_purge') { $purge = $my->cfg_value; } else {
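/**
 * Load one content item for the current visitor and render it via show().
 *
 * Every guard failure (item not found, category/section unpublished or above
 * the visitor's access level) calls mosNotAuth() and returns; nothing is
 * rendered in that case.
 *
 * @param int|string $uid     id of the content item to display
 * @param int|string $gid     access level of the visitor; compared against
 *                            a.access, cc.access and s.access
 * @param object     $access  access flags; only ->canEdit is read here
 * @param mixed      $pop     passed through to show() untouched
 * @param string     $option  kept for callers; not used in this function
 * @param mixed      $now     kept for callers; always overwritten with
 *                            _CURRENT_SERVER_TIME below (now optional so the
 *                            optional-before-required parameter order goes away)
 * @return void
 */
function showItem($uid, $gid, &$access, $pop, $option = 'com_content', $now = null)
{
    global $database, $mainframe;
    global $mosConfig_MetaTitle, $mosConfig_MetaAuthor;

    // the server clock wins over whatever the caller handed in
    $now = _CURRENT_SERVER_TIME;
    $nullDate = $database->getNullDate();

    // editors may see unpublished / out-of-window items; everybody else is
    // restricted to published (or archived) items inside their publish window
    $xwhere = '';
    if (!$access->canEdit) {
        $xwhere = " AND ( a.state = 1 OR a.state = -1 )"
            . "\n AND ( a.publish_up = " . $database->Quote($nullDate) . " OR a.publish_up <= " . $database->Quote($now) . " )"
            . "\n AND ( a.publish_down = " . $database->Quote($nullDate) . " OR a.publish_down >= " . $database->Quote($now) . " )";
    }

    // main query: ids are cast to int and dates go through Quote(), so no
    // request-derived value reaches the SQL string unescaped
    $query = "SELECT a.*, u.name AS author, u.usertype, cc.name AS category, s.name AS section, g.name AS groups,"
        . "\n s.published AS sec_pub, cc.published AS cat_pub, s.access AS sec_access, cc.access AS cat_access,"
        . "\n s.id AS sec_id, cc.id as cat_id"
        . "\n FROM #__content AS a"
        . "\n LEFT JOIN #__categories AS cc ON cc.id = a.catid"
        . "\n LEFT JOIN #__sections AS s ON s.id = cc.section AND s.scope = 'content'"
        . "\n LEFT JOIN #__users AS u ON u.id = a.created_by"
        . "\n LEFT JOIN #__groups AS g ON a.access = g.id"
        . "\n WHERE a.id = " . (int) $uid
        . $xwhere
        . "\n AND a.access <= " . (int) $gid;
    $database->setQuery($query);

    $row = NULL;
    if (!$database->loadObject($row)) {
        // no row: either the item does not exist or the WHERE clause filtered it out
        mosNotAuth();
        return;
    }

    // category / section must be published ...
    if (!$row->cat_pub && $row->catid) {
        mosNotAuth();
        return;
    }
    if (!$row->sec_pub && $row->sectionid) {
        mosNotAuth();
        return;
    }
    // ... and must not sit above the visitor's access level
    if ($row->cat_access > $gid && $row->catid) {
        mosNotAuth();
        return;
    }
    if ($row->sec_access > $gid && $row->sectionid) {
        mosNotAuth();
        return;
    }

    $params = new mosParameters($row->attribs);
    $params->set('intro_only', 0);
    $params->def('back_button', $mainframe->getCfg('back_button'));

    // uncategorised items (no section) get no prev/next navigation
    if ((int) $row->sectionid === 0) {
        $params->set('item_navigation', 0);
    } else {
        $params->set('item_navigation', $mainframe->getCfg('item_navigation'));
    }

    // loads the links for Next & Previous Button
    if ($params->get('item_navigation')) {
        // Parameters for menu item as determined by controlling Itemid
        $menu = $mainframe->get('menu');
        $mparams = new mosParameters($menu->params);

        // different menu item types use a different param to control ordering:
        // Blogs use `orderby_sec`, Table and List views use `orderby`
        $mparams_list = $mparams->toArray();
        if (array_key_exists('orderby_sec', $mparams_list)) {
            $order_method = $mparams->get('orderby_sec', '');
        } else {
            $order_method = $mparams->get('orderby', '');
        }
        // additional check for invalid sort ordering
        if ($order_method === 'front') {
            $order_method = '';
        }
        // NOTE(review): $order_method is admin-configured menu data, not request
        // input; _orderby_sec is assumed to map it to a fixed ORDER BY clause
        // rather than echo it back — confirm, since it is interpolated below
        $orderby = _orderby_sec($order_method);

        // ids of the content items in the same category, correctly ordered
        $query = "SELECT a.id"
            . "\n FROM #__content AS a"
            . "\n WHERE a.catid = " . (int) $row->catid
            . "\n AND a.state = " . (int) $row->state
            . ($access->canEdit ? '' : "\n AND a.access <= " . (int) $gid)
            . $xwhere
            . "\n ORDER BY {$orderby}";
        $database->setQuery($query);
        $list = $database->loadResultArray();

        // an incorrect Itemid can produce a non-array result
        if (!is_array($list)) {
            $list = array();
        }

        // position of the current item in the ordered list; loose comparison on
        // purpose, the ids come back from the driver as strings
        $location = array_search($uid, $list);
        $row->prev = '';
        $row->next = '';
        // only derive neighbours when the item was actually found: with
        // $location === false the old "+ 1" arithmetic pointed at $list[1]
        if ($location !== false) {
            if ($location - 1 >= 0) {
                $row->prev = $list[$location - 1];
            }
            if ($location + 1 < count($list)) {
                $row->next = $list[$location + 1];
            }
        }
    }

    // page title
    $mainframe->setPageTitle($row->title);
    if ((string) $mosConfig_MetaTitle === '1') {
        $mainframe->addMetaTag('title', $row->title);
    }
    if ((string) $mosConfig_MetaAuthor === '1') {
        $mainframe->addMetaTag('author', $row->author);
    }

    show($row, $params, $gid, $access, $pop);
}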
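/**
 * Restore the administrator's identity from $_SESSION and enforce the admin
 * session policy: session name and id format, a matching row in #__session,
 * and the admin session lifetime.
 *
 * Any failed check emits a <script> redirect to index.php and exit()s. On
 * success the restored user is returned and option/task are recorded in
 * $_SESSION (used by the /popups/ checks).
 *
 * Session identifiers are compared with === throughout: a loose == on two
 * strings falls back to numeric comparison when both look numeric (the
 * "0e..." md5 digest case), which is exactly the comparison an attacker would
 * want to be lenient.
 *
 * @param string $option component being requested; 'logout' hands off to logout.php
 * @param string $task   task being requested; 'save'/'apply' skip the expiry
 *                       checks so an in-flight edit is not lost
 * @return mosUser
 */
function initSessionAdmin($option, $task)
{
    global $_VERSION, $mosConfig_admin_expired;

    // logout check
    if ($option === 'logout') {
        require $GLOBALS['mosConfig_absolute_path'] . '/administrator/logout.php';
        exit;
    }

    $site = $GLOBALS['mosConfig_live_site'];

    // the admin session name is derived from the live site URL; anything else is not ours
    if (session_name() !== md5($site)) {
        echo "<script>document.location.href='index.php'</script>\n";
        exit;
    }

    // restore some session variables
    $my = new mosUser($this->_db);
    $my->id = intval(mosGetParam($_SESSION, 'session_user_id', ''));
    $my->username = strval(mosGetParam($_SESSION, 'session_username', ''));
    $my->usertype = strval(mosGetParam($_SESSION, 'session_usertype', ''));
    $my->gid = intval(mosGetParam($_SESSION, 'session_gid', ''));
    $my->params = mosGetParam($_SESSION, 'session_user_params', '');
    $session_id = mosGetParam($_SESSION, 'session_id', '');
    $logintime = mosGetParam($_SESSION, 'session_logintime', '');

    // the id stored server-side must be the one PHP is actually serving
    if ($session_id !== session_id()) {
        echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
        exit;
    }

    // the stored id must be the digest of the identity it was issued for
    if ($session_id !== md5($my->id . $my->username . $my->usertype . $logintime)) {
        if ($session_id === '') {
            // no session_id as user has not attempted to login, or session.auto_start is switched on
            if (ini_get('session.auto_start') || !ini_get('session.use_cookies')) {
                echo "<script>document.location.href='index.php?mosmsg=You need to login. If PHP\\'s session.auto_start setting is on or session.use_cookies setting is off, you may need to correct this before you will be able to login.'</script>\n";
            } else {
                echo "<script>document.location.href='index.php?mosmsg=You need to login'</script>\n";
            }
            exit;
        }
        // session id does not correspond to required session format
        echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
        exit;
    }

    // if task action is to `save` or `apply` complete the action before doing
    // session checks; the checks run on the next request instead
    if ($task === 'save' || $task === 'apply') {
        return $my;
    }

    // admin session lifetime, falling back to 30 minutes when not configured
    $session_life_admin = !empty($GLOBALS['mosConfig_session_life_admin'])
        ? $GLOBALS['mosConfig_session_life_admin']
        : 1800;

    // purge expired admin sessions only
    $past = time() - $session_life_admin;
    $query = "DELETE FROM #__session"
        . "\n WHERE time < '" . (int) $past . "'"
        . "\n AND guest = 1"
        . "\n AND gid = 0"
        . "\n AND userid <> 0";
    $this->_db->setQuery($query);
    $this->_db->query();

    // update session timestamp
    $current_time = time();
    $query = "UPDATE #__session"
        . "\n SET time = " . $this->_db->Quote($current_time)
        . "\n WHERE session_id = " . $this->_db->Quote($session_id);
    $this->_db->setQuery($query);
    $this->_db->query();

    // set garbage cleaning timeout
    $this->setSessionGarbageClean();

    // check against db record of session
    // NOTE(review): the username predicate is masked in the listing this was
    // reviewed from; it is reconstructed after the sibling usertype/userid
    // predicates — confirm against the upstream file
    $query = "SELECT COUNT( session_id )"
        . "\n FROM #__session"
        . "\n WHERE session_id = " . $this->_db->Quote($session_id)
        . "\n AND username = " . $this->_db->Quote($my->username)
        . "\n AND userid = " . intval($my->id);
    $this->_db->setQuery($query);
    $count = $this->_db->loadResult();

    if ((int) $count !== 0) {
        // load variables into session, used to help secure /popups/ functionality
        $_SESSION['option'] = $option;
        $_SESSION['task'] = $task;
        return $my;
    }

    // no entry in the session table corresponds: boot from the admin area,
    // optionally remembering the requested page so it can be reopened after re-login
    $link = NULL;
    if (!empty($_SERVER['QUERY_STRING'])) {
        $link = 'index2.php?' . $_SERVER['QUERY_STRING'];
    }

    // check if site designated as a production site
    // for a demo site disallow expired page functionality
    // link must also be a Joomla link to stop malicious redirection
    if ($link
        && strpos($link, 'index2.php?option=com_') === 0
        && $_VERSION->SITE == 1
        && isset($mosConfig_admin_expired)
        && $mosConfig_admin_expired === '1'
    ) {
        $now = time();
        $file = $this->getPath('com_xml', 'com_users');
        if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
            $params = new mosParameters($my->params, $file, 'component');
        } else {
            // older PHP: the XML parse inside mosParameters is noisy, silence it for this call only
            $errorlevel = error_reporting();
            error_reporting(0);
            $params = new mosParameters($my->params, $file, 'component');
            error_reporting($errorlevel);
        }

        // return to expired page functionality
        $params->set('expired', $link);
        $params->set('expired_time', $now);

        // param handling: serialise back to the "key=value" per line form stored in #__users.params
        $saveparams = '';
        $paramsArray = $params->toArray();
        if (is_array($paramsArray)) {
            $txt = array();
            foreach ($paramsArray as $k => $v) {
                $txt[] = "{$k}={$v}";
            }
            $saveparams = implode("\n", $txt);
        }

        // save expired page info to user data
        // NOTE(review): username predicate reconstructed as above — confirm upstream
        $query = "UPDATE #__users"
            . "\n SET params = " . $this->_db->Quote($saveparams)
            . "\n WHERE id = " . (int) $my->id
            . "\n AND username = " . $this->_db->Quote($my->username)
            . "\n AND usertype = " . $this->_db->Quote($my->usertype);
        $this->_db->setQuery($query);
        $this->_db->query();
    }

    echo "<script>document.location.href='index.php?mosmsg=Admin Session Expired'</script>\n";
    exit;
}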